cycode-cli/.github/workflows/build_executable.yml at main · omerr-cycode/cycode-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
name: Build executable version of CLI and optionally upload artifact

on:
  workflow_dispatch:
    inputs:
      publish:
        description: 'Upload artifacts to release'
        required: false
        default: false
        type: boolean
  push:
    branches:
      - main

permissions:
  contents: write

jobs:
  build:
    name: Build on ${{ matrix.os }} (${{ matrix.mode }} mode)
    strategy:
      fail-fast: false
      matrix:
        os: [ ubuntu-22.04, macos-15-intel, macos-15, windows-2022 ]
        mode: [ 'onefile', 'onedir' ]
        exclude:
          - os: ubuntu-22.04
            mode: onedir
          - os: windows-2022
            mode: onedir

    runs-on: ${{ matrix.os }}

    defaults:
      run:
        shell: bash

    steps:
      - name: Run Cimon
        if: matrix.os == 'ubuntu-22.04'
        uses: cycodelabs/cimon-action@v0
        with:
          client-id: ${{ secrets.CIMON_CLIENT_ID }}
          secret: ${{ secrets.CIMON_SECRET }}
          prevent: true
          allowed-hosts: >
            files.pythonhosted.org
            install.python-poetry.org
            pypi.org
            uploads.github.com

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Checkout latest release tag
        if: ${{ github.event_name == 'workflow_dispatch' }}
        run: |
          LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`)
          git checkout $LATEST_TAG
          echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_ENV

      - name: Set up Python 3.13
        uses: actions/setup-python@v4
        with:
          python-version: '3.13'

      - name: Load cached Poetry setup
        id: cached-poetry
        uses: actions/cache@v3
        with:
          path: ~/.local
          key: poetry-${{ matrix.os }}-2  # increment to reset cache

      - name: Setup Poetry
        if: steps.cached-poetry.outputs.cache-hit != 'true'
        uses: snok/install-poetry@v1
        with:
          version: 2.2.1

      - name: Add Poetry to PATH
        run: echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Install dependencies
        run: poetry install --without dev,test

      - name: Import macOS signing certificate
        if: runner.os == 'macOS'
        env:
          APPLE_CERT: ${{ secrets.APPLE_CERT }}
          APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }}
          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
        run: |
          # import certificate
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH

          # create temporary keychain
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # import certificate to keychain
          security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

      - name: Build executable (onefile)
        if: matrix.mode == 'onefile'
        env:
          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
        run: |
          poetry run pyinstaller pyinstaller.spec
          echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli" >> $GITHUB_ENV

      - name: Build executable (onedir)
        if: matrix.mode == 'onedir'
        env:
          CYCODE_ONEDIR_MODE: 1
          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
        run: |
          poetry run pyinstaller pyinstaller.spec
          echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli/cycode-cli" >> $GITHUB_ENV

      - name: Test executable
        run: time $PATH_TO_CYCODE_CLI_EXECUTABLE status

      - name: Codesign onedir binaries
        if: runner.os == 'macOS' && matrix.mode == 'onedir'
        env:
          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
        run: |
          # The standalone _internal/Python fails codesign --verify --strict because it was
          # extracted from Python.framework without Info.plist context.
          # Fix: remove the bare copy and replace with the framework version's binary,
          # then delete the framework directory (it's redundant).
          if [ -d dist/cycode-cli/_internal/Python.framework ]; then
            FRAMEWORK_PYTHON=$(find dist/cycode-cli/_internal/Python.framework/Versions -name "Python" -type f | head -1)
            if [ -n "$FRAMEWORK_PYTHON" ]; then
              echo "Replacing _internal/Python with framework binary"
              rm dist/cycode-cli/_internal/Python
              cp "$FRAMEWORK_PYTHON" dist/cycode-cli/_internal/Python
            fi
            rm -rf dist/cycode-cli/_internal/Python.framework
          fi

          # Sign all Mach-O binaries (excluding the main executable)
          while IFS= read -r file; do
            if file -b "$file" | grep -q "Mach-O"; then
              echo "Signing: $file"
              codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime "$file"
            fi
          done < <(find dist/cycode-cli -type f ! -name "cycode-cli")

          # Re-sign the main executable with entitlements (must be last)
          codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime --entitlements entitlements.plist dist/cycode-cli/cycode-cli

      - name: Notarize macOS executable
        if: runner.os == 'macOS'
        env:
          APPLE_NOTARIZATION_EMAIL: ${{ secrets.APPLE_NOTARIZATION_EMAIL }}
          APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }}
          APPLE_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
        run: |
          # create keychain profile
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD"

          # create zip file (notarization does not support bare binaries)
          ditto -c -k --keepParent dist/cycode-cli notarization.zip

          # notarize app (this will take a while)
          NOTARIZE_OUTPUT=$(xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait 2>&1) || true
          echo "$NOTARIZE_OUTPUT"

          # extract submission ID for log retrieval
          SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep "  id:" | head -1 | awk '{print $2}')

          # check notarization status explicitly
          if echo "$NOTARIZE_OUTPUT" | grep -q "status: Accepted"; then
            echo "Notarization succeeded!"
          else
            echo "Notarization failed! Fetching log for details..."
            if [ -n "$SUBMISSION_ID" ]; then
              xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "notarytool-profile" || true
            fi
            exit 1
          fi

          # we can't staple the app because it's executable

      - name: Verify macOS code signatures
        if: runner.os == 'macOS'
        run: |
          FAILED=false
          while IFS= read -r file; do
            if file -b "$file" | grep -q "Mach-O"; then
              if ! codesign --verify "$file" 2>&1; then
                echo "INVALID: $file"
                codesign -dv "$file" 2>&1 || true
                FAILED=true
              else
                echo "OK: $file"
              fi
            fi
          done < <(find dist/cycode-cli -type f)

          if [ "$FAILED" = true ]; then
            echo "Found binaries with invalid signatures!"
            exit 1
          fi

          codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE

      - name: Test macOS signed executable
        if: runner.os == 'macOS'
        run: |
          file -b $PATH_TO_CYCODE_CLI_EXECUTABLE
          time $PATH_TO_CYCODE_CLI_EXECUTABLE status

      - name: Import cert for Windows and setup envs
        if: runner.os == 'Windows'
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          # import certificate
          echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"

          # add required soft to the path
          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
          echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH

      - name: Sign Windows executable
        if: runner.os == 'Windows'
        shell: cmd
        env:
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_KEYPAIR_ALIAS: ${{ secrets.SM_KEYPAIR_ALIAS }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
        run: |
          :: setup SSM KSP
          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
          msiexec /i smtools-windows-x64.msi /quiet /qn
          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
          smctl windows certsync --keypair-alias=%SM_KEYPAIR_ALIAS%

          :: sign executable
          signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode-cli.exe"

      - name: Test Windows signed executable
        if: runner.os == 'Windows'
        shell: cmd
        run: |
          :: call executable and expect correct output
          .\dist\cycode-cli.exe status

          :: verify signature
          signtool.exe verify /v /pa ".\dist\cycode-cli.exe"

      - name: Prepare files for artifact and release (rename and calculate sha256)
        run: echo "ARTIFACT_NAME=$(./process_executable_file.py dist/cycode-cli)" >> $GITHUB_ENV

      - name: Upload files as artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.ARTIFACT_NAME }}
          path: dist

      - name: Verify macOS artifact end-to-end
        if: runner.os == 'macOS' && matrix.mode == 'onedir'
        uses: actions/download-artifact@v4
        with:
          name: ${{ env.ARTIFACT_NAME }}
          path: /tmp/artifact-verify

      - name: Verify macOS artifact signatures and run with quarantine
        if: runner.os == 'macOS' && matrix.mode == 'onedir'
        run: |
          # extract the onedir zip exactly as an end user would
          ARCHIVE=$(find /tmp/artifact-verify -name "*.zip" | head -1)
          echo "Verifying archive: $ARCHIVE"
          unzip "$ARCHIVE" -d /tmp/artifact-extracted

          # verify all Mach-O code signatures
          FAILED=false
          while IFS= read -r file; do
            if file -b "$file" | grep -q "Mach-O"; then
              if ! codesign --verify "$file" 2>&1; then
                echo "INVALID: $file"
                codesign -dv "$file" 2>&1 || true
                FAILED=true
              else
                echo "OK: $file"
              fi
            fi
          done < <(find /tmp/artifact-extracted -type f)

          if [ "$FAILED" = true ]; then
            echo "Artifact contains binaries with invalid signatures!"
            exit 1
          fi

          # simulate download quarantine and test execution
          # this is the definitive test — it triggers the same dlopen checks end users experience
          find /tmp/artifact-extracted -type f -exec xattr -w com.apple.quarantine "0081;$(printf '%x' $(date +%s));CI;$(uuidgen)" {} \;
          EXECUTABLE=$(find /tmp/artifact-extracted -name "cycode-cli" -type f | head -1)
          echo "Testing quarantined executable: $EXECUTABLE"
          time "$EXECUTABLE" status

      - name: Upload files to release
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }}
        uses: svenstaro/upload-release-action@v2
        with:
          file: dist/*
          tag: ${{ env.LATEST_TAG }}
          overwrite: true
          file_glob: true